IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA

CISCO SYSTEMS, INC.,

Plaintiff/
Counterclaim-Defendant,

TELES AG INFORMATIONSTECHNOLOGIEN,

Defendant/
Counterclaim-Plaintiff.

Civil Action No.
1:05-CV-02048 (RBW)

DECLARATION OF JOHN N. STEWART IN SUPPORT OF MOTION FOR 
ENTRY OF CISCO'S PROPOSED PROTECTIVE ORDER 

I, John N. Stewart, declare as follows: 

1. I am a Vice President and the Chief Security Officer of Defendant Cisco Systems,
Inc. ("Cisco"). Cisco is the worldwide leader in products for networking for the Internet. I have 
personal knowledge of the facts stated herein and, if called as a witness, could and would 
competently testify thereto. 

2. As Cisco's Chief Security Officer, I head an entire organization within Cisco 
dedicated to the security of Cisco's confidential information. Cisco makes a considerable effort 
to make sure that its confidential information remains confidential. As I discuss below, the 
effect of Cisco's confidential information, and particularly its software source code, being 
disclosed to the public will significantly harm not only Cisco, but also third party entities
including the United States ("U.S.") government. I understand that the party opposing Cisco in 
this litigation is a competitor of Cisco and is asking the Court to require Cisco to turn over the 
source code for a number of important Cisco products to that party's attorneys, and thus to take
the source code out of Cisco's protection and control. I make this affidavit to ask the Court not 
to allow this to occur, and instead to adopt appropriate procedures to protect the security of 
Cisco's code and to allow that code to remain in the custody and care of Cisco's attorneys or an 
appropriately secure third party site. 

3. Among the types of information that Cisco considers to be highly confidential and
that it expends significant time, energy and money to protect from unauthorized use and 
disclosure is the source code for the products sold by Cisco. I understand that the opposing party 
in this action has accused at least the following products of infringement in this case: 

• the 2600 Series Multiservice Platforms (e.g., Cisco 2691 Multiservice Platforms, 
Cisco 2651XM Multiservice Routers, Cisco 2650XM Multiservice Routers, Cisco 
2621XM Multiservice Routers, Cisco 2620XM Multiservice Routers, Cisco 2612XM 
Multiservice Routers, Cisco 2611XM Multiservice Routers, and Cisco 2610XM
Multiservice Routers). 

• the 2800 Series Integrated Services Routers (e.g., Cisco 2851 Integrated Services 
Routers, Cisco 2811 Integrated Services Routers, and Cisco 2821 Integrated Services
Routers) 

• the 3600 Series Multiservice Platforms (e.g., Cisco 3662 Telco Versatile DCN Access 
Platforms) 

• the 3700 Series Multiservice Access Routers (e.g., Cisco 3745 Multiservice Access 
Routers and Cisco 3725 Multiservice Access Routers) 

• the 3800 Series Integrated Services Routers (e.g., Cisco 3845 Integrated Services 
Routers and Cisco 3825 Integrated Services Routers)

• the 7200 Series Routers (e.g., Cisco 7204VXR Routers and Cisco 7206VXR Routers),
and 

• the 7500 Series Routers (e.g., Cisco 7507 Routers and Cisco 7513 Routers) 

4. These Cisco products include various routers and switches that are heavily used 
throughout the world for telecommunications and for access to, and operation of, the Internet. 
Each Cisco product operates using proprietary Cisco software that has been written and honed 
over many years of research and effort by Cisco and its programmers and product engineers. 
These software programs and the millions of lines of source code for these programs represent 
some of Cisco's most important and valuable assets. The software within these products 
includes different versions of Cisco's Internet Operating Software (IOS), as briefly described in 
the document at http://newsroom.cisco.com/dlls/global/asiapac/news/2004/ts_03-03.html, a copy
of which I have attached as Exhibit A. The software within these products also includes code 
that is specifically designed to protect the security of the information transmitted by those 
products on the Internet or on telecommunications networks, as shown for example in the press 
release at http://newsroom.cisco.com/dlls/2005/prod_021505b.html?CMP=AF17154, a copy of 
which is attached to this declaration as Exhibit B. Additional information about the nature of the 
security systems contained within these products can also be found in 
http://newsroom.cisco.com/dlls/prod_052003d.html, a copy of which is attached as Exhibit C.

5. If any portion of the source code for the operating systems of Cisco's products is
made public, not only could Cisco suffer considerable financial damage and loss of sales from 
unauthorized use and copying of the code, but the potential for persons to misuse the code to 
hack into Cisco operating systems would create significant security problems for Cisco and for 
Cisco's many customers throughout the world. These customers include the U.S. Government 
and many major public institutions and private corporations. Cisco products are used, for 
example, by multiple government institutions and Cisco even provides special training on its
products to enable Federal systems administrators to maintain the security of information 
handled by Federal agencies, as indicated at 
http://newsroom.cisco.com/dlls/2006/prod_061306.html, a copy of which is attached as Exhibit D.

6. It is important for the Court to understand that Cisco does not disclose the source 
code for its products to its customers when it sells its products. The term "source code" is a 
name given to certain files containing a multitude of instructions written in a human readable 
format that make up a computer program. The fact that the source code is readable by trained 
Cisco computer programmers and is written in a structured format allows the programmers to 
understand the literally millions of lines of code that make up the software that is used to operate 
Cisco's products, and thus to either modify these files or to add new programs or routines to the 
Cisco code. (As a result, the source code could easily be misused to attack the security of the 
Cisco products.) Cisco's source code files, before they are put in any product, are processed by a 
compiler into an "executable file," which embodies the code in a way that is not accessible or 
readable and thus not subject to abuse. An "executable file," rather, is readable only by a 
computer processor within the product. Moreover, an executable file cannot be decompiled into 
the original source code. If someone were to decompile an executable file, for example an image 
of the operating system for a Cisco product, a jumble of low level code would result making it 
virtually impossible to decipher in any meaningful way. The software distributed on Cisco's 
products is in this "executable" format, and is not "source code" of the kind at issue here. 

7. Like all companies, Cisco has a significant amount of confidential and proprietary 
information. Cisco employs a number of different security systems and procedures to protect the 
confidentiality of its source code and other confidential information. As a first measure of
security, for example, Cisco requires employees who may have access to its confidential 
materials to undergo a thorough background check and agree to abide by a strict confidentiality 
agreement. Employees also are expected to adhere to Cisco's code of business conduct, which 
requires the protection of the confidential and proprietary information of Cisco and its customers, 
including Cisco's source code. In addition to the initial confidentiality agreement, employees 
with access to confidential material must re-certify their adherence to Cisco's code of business 
conduct every year for the duration of their employment. 

8. Access to Cisco's facilities also is restricted, as Cisco's policies provide for 
security badge access for employees and registration and escort of guests. It is Cisco's policy
not to allow persons without a security badge within Cisco's facilities unless escorted by an 
individual with a security badge. 

9. Because the source code for Cisco's products is one of Cisco's most valuable 
assets, Cisco takes extra security steps to guard the confidentiality of the source code. These 
particular additional security precautions may not be required for other types of confidential 
information. 

10. For example, Cisco's security policies and practices limit access to its source code 
only to certain employees, and even then on a restricted basis. Access to the source code is 
limited to the minimum amount of access that is reasonably necessary for an employee to 
perform his or her duties. For example, a software engineer working on the code for the image 
of IOS for the CRS1 product will not typically have access to the code for the image of IOS for 
other products. Similarly, a typical software engineer working on the source code for the PIX 
firewall product will not typically have access to the IOS source code.

11. Cisco also employs security measures with respect to how and where source code
is accessed. In order for an individual to access the source code, the user must access Cisco's 
systems with appropriate login credentials from an approved location within Cisco's corporate 
network, which is guarded from the outside Internet by firewalls and intrusion prevention 
systems. The source code is maintained in particular data centers. Prior to granting access to the 
source code stored in a data center, the data center verifies a user's login credentials and the 
physical address of the Cisco computer from which the user is accessing the data center. In this 
manner, Cisco maintains physical control over the computers approved for accessing the source 
code, as well as control over the login credentials approved for accessing the source code, and 
insulates those computers from access by outside personnel. 

12. Cisco also employs substantial security measures as to where its source code is 
stored. As noted above, Cisco's IOS is a critical part of most of Cisco's products. A specific 
image of the IOS source code is used for each product, and from this source code the executable 
code is compiled for use on the actual physical product itself. To minimize security risks, the 
various images of the IOS source code are stored in a minimum number of locations within 
Cisco. A copy of each released image of the IOS source code (i.e. those images in use by the 
public) is archived in a closely guarded central data repository. A development copy of an image 
of IOS source code actively under development is also stored in a data center associated with the 
facility developing the image. Each image of the IOS source code is not stored in any other 
location. 

13. As noted above, Cisco's source code is not even available to its customers, as the 
customers receive only an executable file, not the actual source code. If a customer's product 
requires updated software code, Cisco provides the customer with new executable files, and not
with the source code. 

14. Because Cisco's IOS code is highly integrated, if even portions of Cisco's source 
code are inadvertently or otherwise disclosed to a third party or made public, the probability of a
hacker penetrating Cisco's security measures has the potential to increase dramatically. The 
source code could be used by a hacker or an unauthorized user as a "road map" to enable them to 
breach the security measures built into the products and thus gain access to the information and 
data being processed and transmitted by the Cisco products. 

15. Cisco takes the security of its confidential source code very seriously, in part 
because Cisco's customers use Cisco's products to receive, store and transmit just about every 
kind of confidential information imaginable. These customers depend upon Cisco to maintain 
the security of the Cisco products and to protect against unauthorized users from hacking into 
Cisco products and violating the confidentiality of the customers who use those products. And 
the security of Cisco's products depends in large part upon the confidentiality of the source code. 

16. Because of the success of Cisco's products and the positioning of those products
as routers and switches in telecommunications networks and in the Internet, Cisco's products 
play an important role in the flow and security of information on the Internet and on other 
telecommunications networks, as evidenced by the sophisticated security measures that are built 
into Cisco's IOS code. If the confidentiality of Cisco's source code were compromised, Internet 
security also could be compromised. This could negatively impact Cisco and its customers, 
including financial institutions, various government entities, large-scale public and private 
organizations, and many users of the Internet in the U.S. and abroad. 

17. I understand that, for certain purposes, Federal law allows for discovery of
confidential information during litigation, even possibly of confidential information such as the
Cisco source code. I am also informed that the U.S. District Court in Texas recently issued a
protective order of the type that Cisco is asking for here, and in so doing adopted protections that
would help protect against unauthorized disclosure and use of the Cisco source code. A copy of
the protective order entered in that case, case number 2-05CV-268 (TJW), is attached as Exhibit E. I ask the
Court to adopt similar protections here, to help protect against violations of the security and
confidentiality of the Cisco source code, if that code must be produced in this litigation.

I declare under penalty of perjury under the laws of the United States of America that the 
foregoing is true and correct. 

[date illegible] 2006 in [place illegible], California.

John N. Stewart